SSL/TLS and HTTP/2 State of the SSL/TLS and HTTP/2 State of the ArtArt in Our Serversin Our Servers

Jean-Frederic Clere@jfclere

TMWhat I will coverWhat I will cover● HTTP/2

● HTTP/2 and ALPN● Servers

● Apache HTTPD● Tomcat● Trafc server

● Demos● Questions?

6/15/18 2

TMWho I amWho I am

Jean-Frederic Clere

Red Hat

Years writng JAVA code and server sofware

Tomcat commiter since 2001

Doing OpenSource since 1999

Cyclist/Runner etc

Lived 15 years in Spain (Barcelona)

Now in Neuchâtel (CH)

6/15/18 3

TMWhy HTTP/2Why HTTP/2

– HTTP/1.1: June 1999 (RFC 2616)● 1999:

– 1 page ~ 1kB HTML

● 2015:– 1 page ~ 3MB HTML + IMAGES + JS + CSS etc

– Protocol:● Not adapted / inefcient / etc

6/15/18 4

TMHTTP/2 generalHTTP/2 general

HTTP/2:

Binary

Frame

Multiplex

Based on SPDY

TLS everywhere:

Browers use https and strong ciphers

No forward proxy

h2c: Clear text only with reverse proxy (proxy to back-end server) requires upgrade.

6/15/18 5

TMHTTP/2 generalHTTP/2 general

Two specifcations:

Hypertext Transfer Protocol version 2 - RFC7540

HPACK - Header Compression for HTTP/2 - RFC7541

By the Internet Engineering Task Force

ALPN Application-Layer Protocol Negotiation - RFC 7301

6/15/18 6

TMHTTP/2 MultiplexedHTTP/2 Multiplexed

6/15/18 7

Headers

Data

Headers

HeadersHeaders Data Data

Headers Data Data

HeadersData

Headers

TMHTTP/2 : moreHTTP/2 : more

HTTP headers compression

~ 80 % save

Request priority

Both sides

Server Push

Prevent round trip to get element of a page

Faster / better rendering on browsers.

6/15/18 8

TMHTTP/2 When BrowsersHTTP/2 When BrowsersBrowser with HTTP/2 and TLS

FireFox 34

Chrome 40 (with ALPN before was NPN)

IE 11

Opera and Safari 9

Stats from docs.trafficserver and ci.trafficserver:

80% is over HTTP/2 (data from 23th of September 2016!)

→ go for it now!

6/15/18 9

TMALPN Client Hello (Firefox)ALPN Client Hello (Firefox)

6/15/18 10

TMALPN Server Hello (tomcat)ALPN Server Hello (tomcat)

6/15/18 11

TM

RequirementsRequirementsOpenSSL for our 3 servers

At least 1.0.2c

Tomcat (8.5 / 9.0 / trunk)

Tomcat-native (1.2.6 / trunk)

Java9

Httpd (2.4.17 / trunk)

HTTP/2 C Library (libnghttp2)

TrafcServer (since ATS v5.3.2).

Nothing except openssl.6/15/18 12

TM

StatusStatusTomcat (trunk/9.0/8.5)

Full support / released as stable.

Needs servlet 4.0 (JSR 369) for server PUSH API

9.0 with JDK9 (ALPN support)

Note that Java11 is early access!!! Use openJDK!

Httpd (available since 2.4.17)

Full support (since 2.4.20)

TrafcServer (since 5.3.0) (fow control 6.1)

Priorities (6.2.0) and Server PUSH (7.0.0)6/15/18 13

TMTC connector server.xml (8.5)TC connector server.xml (8.5)

<Connector port="8002" scheme="https" SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" SSLCertificateFile="/home/jfclere/CERTS/newcert.pem" SSLCertificateKeyFile="/home/jfclere/CERTS/newkey.txt.pem" protocol="org.apache.coyote.http11.Http11AprProtocol">

<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <Connector/>

<Connector port="8003" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" keystoreFile="conf/.keystore" keystorePass="changeit" socket.directBuffer="true" socket.directSslBuffer="true"> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> </Connector>

TM

Tomcat / confgurationTomcat / confgurationIn bin/setenv.sh:

LD_LIBRARY_PATH=/home/jfclere/tomcat-native/native/.libs

export LD_LIBRARY_PATH

And the libtcnative-1.so linked with openssl-1.0.2c, checking with ldd:

libssl.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libssl.so.1.0.0 (0x00007f6ab147b000)

libcrypto.so.1.0.0 => /home/jfclere/OPENSSL-1.0.2c/lib/libcrypto.so.1.0.0 (0x00007f6ab1028000)

libapr-1.so.0 => /home/jfclere/APR-1.4.x/lib/libapr-1.so.0 (0x00007f6ab0dfa000)

Usually the openssl of recent distribution (fedora 23) will work.

6/15/18 15

TM

Tomcat / PerformancesTomcat / Performances

6/15/18 16

4KiB.bin8KiB.bin

16KiB.bin32KiB.bin

64KiB.bin128KiB.bin

256KiB.bin512KiB.bin

1MiB.bin

0

50000

100000

150000

200000

250000

300000

350000

400000

Concurency 240

coyote_nio_jsse_h1_https

coyote_nio_jsse_h2_https

File Size

Kb

yte

s / s

eco

nd

TM

Tomcat / PerformancesTomcat / Performances

6/15/18 17

4KiB8KiB

16KiB32KiB

64KiB128KiB

256KiB512KiB

1MiB

0

10

20

30

40

50

60

70

80

90

Concurency 240

coyote_nio_jsse_h1_https

coyote_nio_jsse_h2_https

File Size

CP

U U

sag

e

TM

Tomcat / DemoTomcat / DemoNo server push (may be change it: SimpleImagePush)

Multiplexing

headers compression

Page html page:

That requires a lot (~500) of (~4Kbytes) images to render.

6/15/18 18

TM

TrafcServer / ConfgurationTrafcServer / Confgurationrecords.config

CONFIG proxy.config.ssl.number.threads INT 0

CONFIG proxy.config.http.server_ports STRING 8888:ssl

CONFIG proxy.config.url_remap.pristine_host_hdr INT 1

CONFIG proxy.config.http2.enabled INT 1

CONFIG proxy.config.ssl.TLSv1_1 INT 1

CONFIG proxy.config.ssl.TLSv1_2 INT 1

ssl_multicert.config:

dest_ip=* ssl_cert_name=newcert.pem ssl_key_name=newkey.txt.pem

remap.config:

map / http://127.0.0.1:8080

ip_allow.config:

src_ip=192.168.1.38 action=ip_allow method=ALL

src_ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff action=ip_allow method=ALL

6/15/18 19

TM

TrafcServer / DemoTrafcServer / DemoLike tomcat one

Uses http/1.1 tomcat nio connector on 8080 as back-end.

6/15/18 20

TM

HTTPd / ConfgurationHTTPd / Confgurationhttpd.conf:

LoadModule h2_module modules/mod_h2.so

Listen 8006

<VirtualHost *:8006>

Protocols h2 http/1.1

ProtocolsHonorOrder on

SSLEngine on

SSLCertificateFile "/home/jfclere/CERTS/newcert.pem"

SSLCertificateKeyFile "/home/jfclere/CERTS/newkey.pem"

SSLCACertificateFile "/etc/pki/CA/cacert.pem"

</VirtualHost>

6/15/18 21

TM

HTTPd / PerformancesHTTPd / Performances

6/15/18 22

4KiB.bin8KiB.bin

16KiB.bin32KiB.bin

64KiB.bin128KiB.bin

256KiB.bin512KiB.bin

1MiB.bin

0

50000

100000

150000

200000

250000

300000

350000

400000

Concurency 240

httpd_h1_https

httpd_h2_https

File Size

KB

yte

s / s

eco

nd

TM

HTTPd / PerformancesHTTPd / Performances

6/15/18 23

4KiB 8KiB 16KiB 32KiB 64KiB 128KiB 256KiB 512KiB 1MiB0

10

20

30

40

50

60

70

80

Concurency 240

httpd_h1_https

httpd_h2_https

File Szie

CP

U u

sag

e

TM

HTTPd / Confguration proxyHTTPd / Confguration proxyhttpd.conf:

LoadModule http2_module modules/mod_http2.so

LoadModule proxy_http2_module modules/mod_proxy_http2.so

Listen 8006

<VirtualHost *:8006>

Protocols h2 http/1.1

ProtocolsHonorOrder on

SSLEngine on

…

ProxyPass "/" "h2c://localhost:8003/"

</VirtualHost>

6/15/18 24

TM

HTTPd / DemoHTTPd / DemoLike the tomcat one:

htdocs/http2.html

htdocs/images/ the images.

6/15/18 25

TM

HTTP/2 ready?HTTP/2 ready?Conclusion:

Using HTTP/2 without PUSH is already good.

“safer” crypto is good but expensive.

No need to rewrite application to get the gains.

GO FOR IT

6/15/18 27

TM

Questions?Questions?Thank you!Thank you!jfclere@gmail.com

users@tomcat.apache.org

users@httpd.apache.org

users@trafficserver.apache.org

https://http2.github.io/

Demo generator:

https://github.com/jfclere/h2_demos

6/15/18 28

TM

Jean-Frederic Clere@jfclerejfclere@gmail.com